A change introduced in commit https://github.com/laravel/framework/commit/594a3abdec383b55ce32a9e960263f55b41318e2#diff-de6296975e0aca009488e69826a54f33 adds a prefix to the cookies upon encryption and if it's not there it throws the cookie away. This results in all pre-7.22.0 cookies being invalid after upgrade.
Applying this "update" would mean we would lose all currently stored discount, utm and referral data, resulting in lost buyers and money.
Please consider accepting old cookies and upgrading them on the fly to the new format instead of dropping them. In its current form this is a breaking change which should warrant a major version change in my opinion.
Also, I don't see why prefixing cookies is an improvement, the encrypter already results in different output on every run (but maybe I'm wrong here).
I have the same problem, for me it caused some cookie tests to fail.
Yes, all cookies will be lost. This is noted on the blog post. No, it won't be a major version because it is a security fix. Cookies should not be considered permanent data storage. Sorry for the trouble.
@taylorotwell I guess you meant shouldn't.
I'm also curious about why it is considered a security fix, I guess currently this is not public information while the update is rolled out. When should we expect it?
@netpok I will likely not talk more about that until next week or so. It is not particularly an urgent fix if you are not using the cookie session driver. So you could feel free to wait to deploy it until non-peak hours on your application.
Thanks for the info.